Re: [RFC PATCH 02/20] KEYS: Add a system blacklist keyring [ver #2]

From: Mimi Zohar
Date: Mon Feb 08 2016 - 10:04:24 EST


On Mon, 2016-02-08 at 13:55 +0000, David Howells wrote:
> Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx> wrote:
>
> > In addition, this patch set removes the IMA blacklist without any method for
> > adding blacklisted IMA keys to the system blacklist keyring.
>
> That's not true.
>
> Patch 18 enables userspace to add keys to the system blacklist keyring,
> provided those keys are validly signed:
>
> - KEY_USR_SEARCH,
> + KEY_USR_SEARCH | KEY_USR_WRITE,
> KEY_ALLOC_NOT_IN_QUOTA |
> KEY_FLAG_KEEP,
> - NULL, NULL);
> + restrict_link_by_system_trusted, NULL);
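Review bot: the commit message should spell out what the two visible changes mean together for whoever adds blacklist entries: KEY_USR_WRITE makes the keyring writable from userspace, but every link is then vetted by restrict_link_by_system_trusted, so the payload must be signed by a key already in the system trusted keyring; and since the keyring is created with KEY_FLAG_KEEP, it is worth stating whether entries added from userspace can be unlinked afterwards. A one-line note on the accepted payload format (the hash the blacklist key type matches on, rather than the certificate itself) would save the next reader the question raised below.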
>
> After this commit, you can do everything with the system blacklist keyring
> that you can currently do with the IMA blacklist keyring.

Right, this patch makes the system blacklist keyring writable by
userspace and removes the IMA blacklist. What I don't understand is how
to add a key that is currently on the IMA keyring to the system
blacklist.

With the IMA blacklist, the same certificate that was added to the IMA
keyring could be added to the blacklist. (Probably not the best idea.)

The system blacklist currently only supports the TBSCertificate hash,
not the key-id. I have the signed certificate being added to the IMA
keyring. I'm missing the step of getting the TBSCertificate hash based
on the certificate.

Mimi
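The missing step above is deriving the TBSCertificate hash from a DER certificate. The following is an added example, not code from this patch series or from the kernel: it walks the outer DER structure of an X.509 certificate, takes the complete tbsCertificate TLV (tag and length bytes included, which is what the kernel's x509 parser hashes), reads the signatureAlgorithm OID to pick the digest, and formats the result. The `tbs:<hex>` description prefix and the four-entry OID table are assumptions of this example; the sample certificate bytes are constructed and are not a real certificate.

```python
import hashlib

# Assumption: only the common PKCS#1 v1.5 signature algorithms are mapped.
OID_TO_DIGEST = {
    "1.2.840.113549.1.1.5": "sha1",
    "1.2.840.113549.1.1.11": "sha256",
    "1.2.840.113549.1.1.12": "sha384",
    "1.2.840.113549.1.1.13": "sha512",
}


def read_tlv(buf, offset):
    """Decode one DER TLV header at offset; return (tag, value_start, value_end)."""
    tag = buf[offset]
    first = buf[offset + 1]
    pos = offset + 2
    if first & 0x80 == 0:            # short form: a single length byte
        length = first
    else:                            # long form: 0x8N followed by N length bytes
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, pos, end


def decode_oid(value):
    """Decode the content bytes of a DER OBJECT IDENTIFIER into dotted form."""
    parts = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:             # last base-128 byte of this arc
            parts.append(acc)
            acc = 0
    return ".".join(str(p) for p in parts)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def tbs_certificate_hash(cert_der):
    """Return (digest_name, hex_digest) over the tbsCertificate TLV of cert_der."""
    tag, start, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("Certificate is not a SEQUENCE")
    # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    tbs_tag, _, tbs_end = read_tlv(cert_der, start)
    if tbs_tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tbs = cert_der[start:tbs_end]    # the full TLV, header bytes included
    # AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters }
    alg_tag, alg_start, _ = read_tlv(cert_der, tbs_end)
    if alg_tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    oid_tag, oid_start, oid_end = read_tlv(cert_der, alg_start)
    if oid_tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    oid = decode_oid(cert_der[oid_start:oid_end])
    digest = OID_TO_DIGEST.get(oid)
    if digest is None:
        raise ValueError("unsupported signature algorithm OID " + oid)
    return digest, hashlib.new(digest, tbs).hexdigest()


def blacklist_description(cert_der):
    """Key description for the blacklist keyring ("tbs:" prefix is an assumption)."""
    return "tbs:" + tbs_certificate_hash(cert_der)[1]


def der(tag, content):
    """Encode one DER TLV; used only to build the constructed sample below."""
    n = len(content)
    if n < 0x80:
        length_bytes = bytes([n])
    else:
        body = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length_bytes = bytes([0x80 | len(body)]) + body
    return bytes([tag]) + length_bytes + content


# Constructed sample (not a real certificate): a dummy tbsCertificate body large
# enough to need a two-byte length, sha256WithRSAEncryption, and a dummy signature.
SAMPLE_TBS_DER = der(0x30, der(0x02, b"\x01") + der(0x13, b"x" * 300))
SAMPLE_CERT_DER = der(0x30, SAMPLE_TBS_DER
                      + der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")) + der(0x05, b""))
                      + der(0x03, b"\x00" * 9))

if __name__ == "__main__":
    print(blacklist_description(SAMPLE_CERT_DER))
```

Run against a real certificate by reading its DER bytes (PEM must be base64-decoded first) and passing them to `blacklist_description`; the digest chosen follows the certificate's own signatureAlgorithm, since that is the hash the kernel computes when it verifies the certificate and compares against the blacklist.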